Service Provider's Activation Service on AR #29

Open
emiliocimino opened this issue May 31, 2023 · 1 comment · Fixed by i4Trust/activation-service#18

@emiliocimino

Good morning everyone,
I've a couple of questions about the interaction between the activation service of the PacketDelivery company (service provider) and the marketplace:

  1. How does the marketplace decide where to create the policy on the activation service? Is it based on the activation service link provided by the packet delivery employee when he created the service?
  2. Can a HappyPet/NoCheaper employee create a product offering on the marketplace?
  3. If both questions above have a "yes" answer, can a HappyPet employee create a fraudulent offering with the PacketDelivery Activation Service and Context Broker URLs, maybe with Delete all attributes, and then buy it? In this case, will the marketplace store in the PacketDelivery company's AR the policy of deleting everything on behalf of HappyPets? If not, what did I miss in the documentation that protects against those kinds of situations?

Thanks,
Emilio

@dwendland
Member

Hi Emilio,

many thanks for the hint. We didn't consider that scenario.

For a quick solution we decided to introduce an (optional) API key at the activation service. For each endpoint, an API key can be configured (or automatically generated during deployment), which will be required in the header of each request.
Compare the PR for the AS: i4Trust/activation-service#18

When filling in the asset configuration of the product specification on the marketplace, one can provide the API key, which will then be sent in the request header during acquisition.
Compare the PR for the BAE plugin: i4Trust/bae-i4trust-service#18

This ensures that only offerings created by the actual service provider can create policies through the AS at the provider AR.

The AS helm chart has also been updated: i4Trust/helm-charts#66, as well as the tutorial documentation: #30

Please let us know if this works for you.
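
A sketch of the per-endpoint API key check described in the reply above, added here as an illustration; it is not code from i4Trust/activation-service#18. The header name, endpoint paths and config shape are assumptions, since the thread does not give them.

```python
import hmac
import secrets

API_KEY_HEADER = "X-Api-Key"  # hypothetical header name; not given in the thread


def load_endpoint_keys(config):
    """Build an endpoint -> key map from a (constructed) config dict.

    Each entry looks like {"enabled": bool, "key": str or None}. An enabled
    endpoint with no configured key gets a random one, mirroring the
    "automatically generated during deployment" option.
    """
    keys = {}
    for endpoint, entry in config.items():
        if not entry.get("enabled", False):
            continue  # the API key is optional: this endpoint stays open
        keys[endpoint] = entry.get("key") or secrets.token_urlsafe(32)
    return keys


def check_api_key(endpoint, headers, keys):
    """Return (http_status, reason) for a request to `endpoint`."""
    expected = keys.get(endpoint)
    if expected is None:
        return 200, "no API key configured for endpoint"
    # HTTP header names are case-insensitive, so match on lowercase.
    presented = next(
        (v for k, v in headers.items() if k.lower() == API_KEY_HEADER.lower()),
        None,
    )
    if presented is None:
        return 401, "missing API key header"
    # Constant-time comparison avoids leaking the key through timing.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 403, "invalid API key"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample config and requests; paths are placeholders.
    keys = load_endpoint_keys({
        "/createpolicy": {"enabled": True, "key": "provider-configured-key"},
        "/token": {"enabled": True},       # key generated at startup
        "/health": {"enabled": False},     # left unprotected
    })
    print(check_api_key("/createpolicy", {}, keys))
    print(check_api_key("/createpolicy", {"x-api-key": "guess"}, keys))
    print(check_api_key("/createpolicy", {"X-Api-Key": "provider-configured-key"}, keys))
```

An offering created by another organisation that points at the provider's activation service URL fails this check during acquisition, because only the provider knows the key to enter in the asset configuration.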
